CVE-2020-20735

9.8 CRITICAL

📋 TL;DR

This is a critical file upload vulnerability in LJCMS v4.3.R60321 that allows remote attackers to upload malicious files and execute arbitrary code on the server. Any organization running this specific version of LJCMS is affected, potentially leading to complete system compromise.

💻 Affected Systems

Products:
  • LJCMS
Versions: v4.3.R60321
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific version mentioned; earlier/later versions may have different vulnerabilities.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover with attacker gaining root/system-level access, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case

Webshell upload leading to data theft, defacement, and lateral movement within the network.

🟢 If Mitigated

Attack blocked at the web application firewall (WAF), with file upload restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple file upload bypass with publicly available proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check for updated version from LJCMS vendor
2. If no patch, consider migrating to alternative CMS
3. Apply workarounds immediately

🔧 Temporary Workarounds

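File Upload Restriction (platform: all)

Restrict file uploads to specific extensions and implement server-side validation. The Apache rule below denies requests for script files, so an uploaded script cannot be run through the web server. It matches extensions case-insensitively and covers both Apache 2.4 (Require) and Apache 2.2 (Order/Deny) syntax.

# Upload directory .htaccess or <Directory> block (at the site root this would also deny index.php)
<FilesMatch "(?i)\.(php|phtml|php3|php4|php5|phps|php7|php8|inc|pl|py|jsp|asp|aspx|sh|cgi)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>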

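Directory Permissions (platform: linux)

Remove execute permission from files in the upload directory. File mode bits do not stop the web server from interpreting an uploaded PHP file, so use this together with the File Upload Restriction rule above.

# Directories stay traversable (755); files lose the execute bit (644)
find /path/to/upload/directory -type d -exec chmod 755 {} +
find /path/to/upload/directory -type f -exec chmod 644 {} +
chown -R www-data:www-data /path/to/upload/directory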

🧯 If You Can't Patch

  • Implement WAF rules to block malicious file uploads
  • Disable file upload functionality entirely if not required

🔍 How to Verify

Check if Vulnerable:

Check LJCMS version in admin panel or via version file; if version is exactly 4.3.R60321, system is vulnerable.

Check Version:

Check /ljcms/version.txt or admin panel version display

Verify Fix Applied:

Test file upload functionality with malicious extensions; verify uploads are properly validated and restricted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /ljcms/index.php
  • POST requests with file upload parameters
  • Execution of unexpected PHP files in upload directories

Network Indicators:

  • HTTP POST requests to /ljcms/index.php with file upload content
  • Outbound connections from web server to unknown IPs

SIEM Query:

source="web_logs" AND uri="/ljcms/index.php" AND method="POST" AND (file_upload="true" OR contains(content_type, "multipart/form-data"))
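
The log indicators above can be correlated directly in a web access log. The script below is an added example, not part of the advisory or of LJCMS: it flags a client that POSTs to /ljcms/index.php and then receives a 2xx response for a script file in the upload directory. The combined log format, the /ljcms/uploads/ path, the 10-minute window and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/ljcms/index.php"   # from the advisory's log indicators
UPLOAD_PREFIX = "/ljcms/uploads/"      # assumption: set to the real upload directory
WINDOW = timedelta(minutes=10)         # assumption: correlation window
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phps|inc|pl|py|jsp|aspx?|sh|cgi)$", re.I)
LINE = re.compile(  # Apache/nginx combined log format (assumption)
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, time, method, path, status) or None for unparsable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["uri"].split("?", 1)[0], int(m["status"])

def find_upload_then_execute(lines):
    """Flag clients that POST to the upload endpoint and then get a 2xx
    response for a script file under UPLOAD_PREFIX within WINDOW."""
    last_post, hits = {}, []
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if method == "POST" and path == UPLOAD_ENDPOINT:
            last_post[ip] = ts  # remember the most recent POST per client
        elif (path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT.search(path)
              and 200 <= status < 300):
            posted = last_post.get(ip)
            if posted and ts - posted <= WINDOW:
                hits.append((ip, path, ts.isoformat()))
    return hits

SAMPLE_LOG = [  # constructed lines using documentation IP ranges
    '192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "GET /ljcms/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:10 +0000] "POST /ljcms/index.php HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Mar/2024:10:01:25 +0000] "GET /ljcms/uploads/a1.php HTTP/1.1" 200 17 "-" "curl/8.0"',
    '192.0.2.10 - - [12/Mar/2024:10:02:00 +0000] "GET /ljcms/uploads/logo.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:02:30 +0000] "GET /ljcms/uploads/a1.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.5 - - [12/Mar/2024:10:03:00 +0000] "GET /ljcms/uploads/old.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_upload_then_execute(SAMPLE_LOG):
        print("upload followed by script request:", *hit)
```

A 403 on the script request, as in the fifth sample line, is what the File Upload Restriction workaround should produce. Standard access logs do not record Content-Type, so the multipart condition in the SIEM query needs a log source that captures request headers.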
